

DEF CON 9 - Open Letter to the community

First off let me thank everyone who made DC 9 a success. This includes not
only the staff, but all of the speakers, A/V, Network, DJs, and attendees.
Without everyone working together the convention could not function. Thank
you all for making our largest convention also the smoothest convention in
comparison to past years!

Having just finished my 9th DEF CON, I have a few thoughts - I am looking
for feedback from the community to help decide the next steps for the
future of DEF CON.  First, let me give you a brief history so you can see
where I am coming from and to allow you to decide where you think we should
go in future shows.

I have long thought that DEF CON cannot last forever in its current form
due to several factors: Growth, Core Attendees, and the changing nature of
the technology underground.

GROWTH

Growth causes all kinds of problems. The incredible and exponential growth
of DEF CON makes it more and more difficult to comprehend the ramifications
of running such a large conference. It requires more people to be involved
in organizing the show, more insurance to cover more damage, more planning,
more Con events, and more volunteer staff to make things run more smoothly.

Around DEF CON 5, I came up with two possible theories on how growth would
play out for future shows. The first is that at a certain point, the number
of people not returning to the Con would equal the number of new people
attending, and there would be a zero growth rate. This would allow us to
predict and plan around a set attendance amount, making it easier to plan
the show.

My second theory was that attendance would continue to grow until it
reached a critical mass and everything melted down. Not enough space, not
enough food, too many new people and not enough attendees from previous
years to help run the show, etc. It is harder to tell when this scenario
occurs because every year there are always problems and fires to put out
since nothing ever goes the way you plan.

In order to try and deal with the growth issue I decided before DEF CON 8
that I would stop advertising the convention except on the DC-STUFF mailing
list. The idea was to only let the show grow by word of mouth. I hoped
that this would slow the growth rate, and at the same time attract people
that would be interested in the scene. Advertise to a generic forum like
USENET and anyone might show up. Let it spread by word of mouth and you
should get more people like the current attendees.

As you know (if you attended DC 9) it hasn't happened that way in real life.
Even though the only advertising for DC 8 was one mention in 2600, and no
advertising for DC 9 we still managed to grow by leaps and bounds. Things
have not slowed down as initially predicted and we reached over 5,100 people
at DC 9 - about 900 more than DC 8. Long ago we decided we would let anyone
who wanted to attend show up.  We are not in the business of censorship or
exclusivity. The only people not invited back have been people that pissed
off the hotel enough to have them kicked off-property.

My final thought for now on growth? The show has reached a point where it is
too big for its own good and I am not sure what to do about this. As the
show has grown, so has the amount of stress for all involved in both the
planning and running of DEF CON. The Con is meant as a fun party of
like-minded people, not a cause for ulcer-inducing stress. I designed the
convention to withstand a certain amount of chaos and problems, but it was
never designed to withstand people calling for violence to staff members and
property damage to the hotel.  

CORE ATTENDEES


The Core Attendees of DEF CON is the second reason related to why I don't
think the show can last forever. What I mean by "core attendees" are the
people who come to the show to pow wow about computer security and the lack
thereof. The people who have attended DEF CON for 4 years or more - who 
won't view DEF CON solely as one giant rave for music, drugs and sex and know
that the party atmosphere is simply a fringe benefit to the original intent
of the show.

As the show grows and changes, some of the core attendees that have been
traveling to DEF CON for the last several years stop showing up. If the hard
core coders, programmers, and hackers no longer attend leaving and only
newbies, then the conference has completely lost its point.  Remember - I
started DEF CON to be a party for myself, friends, and the technology
underground. It is not meant to be an everlasting event or a summer camp for
every kid who owns a computer.  If my friends stop attending because the
show is too large or has an incredibly skewed signal-to-noise ratio
(emphasis on the noise), then the point to DEF CON is gone.

How do you measure core attendees?  It's difficult to explain but after being
involved in the scene for so long, you learn to figure out who's an old
school hacker and who's along for the ride.  Do things to alienate your
friends and you can be sure that the show will be forever changed.  Some of
the alienation occurs due to growth, and some occurs just because people
grow up and move on to other things.  This feeds into my third point.

EVOLUTION OF THE TECHNOLOGY UNDERGROUND

The changing nature of the technology underground has caused DEF CON to
change as well. When I started the show there were no real jobs for people
our age in computer security. LD phone calls were expensive, UNIX was not
free, the only people with good Internet access were Universities and
businesses, and PCs still cost quite a bit of cash.  The Web was not
sprouting up "Teach me how to hack" sites every other minute, and there was a
considerable amount of misinformation surrounding hacking floating about.

Now things are exactly the opposite. Money entered the underground scene
around DC 4, and since then, things have changed rapidly. There are plenty
of good and bad books teaching computer security, and there are thousands Web
sites dedicated to hacking. If you don't have a felony and are dependable you
can get a job in computer security.  LD calls are cheap, all the Internet you
can eat is about $20, UNIX-style operating systems are free, and computer
prices are so cheap that you can build and attack your own network for very
little money.  The mentoring process of the "old school" underground is mostly
gone now. The original motivations of breaking into a university to get
Internet access have changed and with each new age group of kids, using a
computer becomes more of a key role of the educational process. Hackers and
computer geeks are no longer a small niche in society but now the norm,
resulting in an even more fragmented community, generating an entirely new set
of definitions for "hard core" and "mainstream".

Each of these three changes are reflected in the attendees at DEF CON with
every new show. As more people were exposed to computers and hacking, more
people attended in exponential amounts and as the reasons for why people
hacked changed, so did the mentality of the new generations attending the show.

NEW ITEMS

In planning DEF CON 9, I made some decisions to reduce the stress on the
volunteer staff.  Instead of having 8 volunteers registering people all Friday
long, I decided to hire some outside people to handle this chore for Thursday,
Friday and Saturday.  Instead of having these same volunteers check badges of
people, I hired more hotel security to do this.  Why have your staff stand in
the 110 degree heat if you can pay someone else to?

There have been some comments about how DC 9 seemed to be under "tighter" control
because of the additional security guards as opposed to past years.  The problem
is that the hotel does not allow us to hire outside rent-a-cops.  We have to hire
their security staff and when you hire said staff a certain amount comes with
guns. So it was a trade off - pay more to get hotel security to save my
hard-working volunteers from boring, repetitive work.  DEF CON volunteers work
very hard, so we tried experimenting with the hotel guards and the outside
registration people. The idea is to reduce the workload of your peers who come
to DEF CON to help out in anyway they can to make sure you have a good time.
With a bigger show this year we spent more on outside help.  I like this model
of relieving stress on the staff, and will try it again, with some tweaks, at
future shows.

Because the hotel is providing the security, they are not under DEF CON direct
control.  Sure we can ask them to go easy on people, but if they catch people
messing with the hotel we can't control them.  For example, if someone is caught
damaging the hotel and hotel security finds out, things get out of our control
pretty fast.  Their concern is their hotel, not the happiness of our attendees at
that point.  At DC 9 we actually had to talk the hotel out of calling Las Vegas
Metro Police and getting two people arrested.  We don't need more hackers with
criminal records, and if we can help it we will.  In one instance two people did
get in trouble with the police, but they had previously gotten in trouble with
the hotel at DC 8 for stealing, and were not supposed to be back on hotel
property.

Remember, DEF CON is a self-organizing group of people, largely with out any
oversight or control.  Everyone is operating under their own responsibility with
the staff there to help people out who need it.  If the community can't keep
themselves in check, we won't do it for you, and the Con will go away.  I don't
want, nor can afford, to have staff and guards to take care of every little
problem.  That's not the point of the Con.  They are there for bigger problems
than traffic guard duty.  For example, there were some medical emergencies this
year, and the staff most likely saved a life.  
 
CHANGES WITH DEF CON

I decided to close the vendor area at 7pm this year so the people with tables
could get some actual sleep with out having to worrying about their stuff.  I
decided to pay more to allow for greater wireless network access coverage so
attendees didn't have to be concentrated and crowded in the immediate conference
area to have net access.  We even rented an additional tent for the hotel roof to
hold more people.  Finally, we managed to talk the hotel into reducing its costs on
food and drink.

While I don't think DEF CON is quite dead, I do think it is time for even more
changes to stave off a quick and painful death - "Evolve or die" comes to mind.
We spend a lot of time deciding on what changes to make each year to help things go
smoother for everyone.  In light of this year's show, I have decided to ask the
community for their input.

If you have suggestions on what changes or additions you'd like to see at DEF CON
for next year, please email suggestions@defcon.org.

We are looking for your opinion on how to manage growth, speaking topics, events,
and ideas to keep the con from getting out of control due to its size, etc.  Heck,
all suggestions are welcome.

Suggestions already being discussed include:

- There will be no overlap of other groups with DEF CON. From Thursday evening to
  Monday Afternoon only DEF CON attendees wil be able to check in.  This will
  hopefully prevent the types of problems we had Sunday night when there were
  other groups on-site.

- A different way of dealing with hotel and con security.

- Speaker selection (Filter out poor speakers and bad talks)

- How to deal with rapid network growth


We're looking forward to you comments, and thank you for taking the time to send
them in.

The Dark Tangent (aka Jeff Moss)

